Software application developers use a variety of techniques to protect their applications from unauthorized use and malicious attacks. One such technique is modeling, or matching up, the potential security threats with corresponding solutions for an application that is under development. Traditionally, an application developer models security threats by manually listing the potential security threats and manually listing solutions to address each security threat for that particular application. In some cases, an application developer will model security threats by himself/herself, while in other cases the application developer will assemble a team of software architecture experts or other subject matter experts to discuss potential security issues for the application, and to identify solutions for addressing the potential security threats. However, manually modeling security threats may confine the protection to the extent of an application developer's working knowledge of security threats. Additionally, modeling security threats can be a time-consuming procedure that adds procedural burdens or distractions that are above and beyond the substantive need to develop the application itself.
Further, security threat mechanisms in computing systems may use a variety of techniques for detecting potential security threats. Some of those techniques may include comparing the communications traffic of the computing system to one or more digital signatures that are indicative of known security threats. Further, operational characteristics of the computing systems can also be monitored to assist in detecting potential security threats. However, when a computing system detects operational characteristics that exceed normal operational characteristics and that do not match patterns that are indicative of a known security threat, the computing system may have to cease operations, e.g., providing services to users, until one or more human resources evaluate the anomalous operational characteristics detected by the computing system.
What is needed is a method and system that enables automating threat model generation and pattern identification for application developers. What is also needed is a method and system for correlating data or patterns from computing systems or virtual assets with external events to provide additional explanations for deviations in normal operating characteristics.